PRIMALITY TESTS FOR FERMAT NUMBERS AND 

2 2fc+l ± 2 k+l + L 

YU TSUMURA 

Abstract. Robert Denomme and Gordan Savin made a primality 
test for Fermat numbers 2 2 + 1 using elliptic curves. We propose 
another primality test using elliptic curves for Fermat numbers and 
also give primality tests for integers of the form 2 2k+1 ± 2 fc+1 + 1. 



1. Introduction. 

The integers of the form 2 2k + 1 with k > are called Fermat num- 
bers, named after Pierre de Fermat. For k = 0, 1, 2, 3, 4, Fermat 
numbers are prime. Fermat conjectured that all numbers of this form 
were prime numbers. However, in 1732 Leonhard Euler disproved this 
conjecture by factoring the fifth Fermat number 2 2 ° + 1 = 641-6700417. 
Not only was it disproved, but also no other Fermat primes have been 
discovered when k > 4. So checking the primality or finding factors of 
Fermat numbers attracts many people. 

Let us define the notation used in this paper. 

Definition 1.1. Let F k = 2 2 " +l,G k = 2 2k+1 + 2 k+1 + 1, and H k = 
2 2k+1 — 2 k+1 + 1, where k is assumed to be a positive integer. F k is 
called the kth Fermat number. 

In 1877, Pepin gave a very efficient primality test for Fermat num- 
bers. 

Theorem 1.2. (Pepin test). For k > 1, F k = 2 2k + 1 is prime if and 
only = -1 (mod F k ). 

Proof. See Theorem 4.1.2 in [2]. □ 

In this paper, we study group structures of elliptic curves defined 
over finite fields of order F k , G k , and H k (if they are prime). The 
essential role is the action of an endomorphism [1 + i] on the curves. 
After that we use the information of the group structure to give two 
primality tests for Fermat numbers which can be regarded as an elliptic 
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version of the Pepin test. Also, we give similar results for integers of 
the form 2 2k+1 ± 2 k+1 + 1. 

The original work in this direction was done by Benedict H. Gross in 
[I] for Mersenne numbers and by Robert Denomme and Gordan Savin 
in [3] for Fermat numbers and integers of the form 3 2 — 3 2 1 + 1 and 
2 2k — 2 2h 1 + 1, where k is a positive integer. Gross used the formula 
of the multiplication by 2 as a recursive formula and Denomme and 
Savin used the formula of the action of [1 + i] as a recursive formula 
for Fermat numbers. In this paper, we obtain the same primality test 
as Denomme and Savin in a slightly different approach and also give 
a new primality test which uses the formula of the multiplication by 2 
for Fermat numbers. Also, by the same method we give new primality 
tests for G k , H k . As you notice by the following proofs, Fk, G k and H k 
are the only numbers to which this method applies. 

We saw in Theorem 11.21 that there is a fast primality test for p = F k . 
There are also fast primality tests for p = G k and p = H k . For example, 
one could use Corollary 1 or Theorem 5 of [1J. These tests apply 
because p—1 is divisible by a power of 2 near v /p. These tests determine 
the primality of p of these three special forms in polynomial time. Our 
new tests below also run in polynomial time and are the first such tests 
using elliptic curves. 

2. Group Structure. 

The next theorem allows us to determine the order of certain elliptic 
curve groups. 

Theorem 2.1. Let p = 1 (mod 4) be an odd prime and let m ^ 
(mod p) be a fourth power mod p. Let E be an elliptic curve defined by 
y 2 = x 3 — mx. Let p = a 2 + b 2 , where a, b are integers with b even and 
a + b = 1 (mod 4). Let E(p) be the elliptic curve E defined over F p . 
Then we have #E(p) = p + 1 — 2a. 

Proof. See Theorem 4.23, page 115 in [6]. □ 

From now on, we fix an elliptic curve E : y 2 = x 3 — mx, where 
m ^ (mod p) is a fourth power mod a prime p. We denote by E(p) 
the elliptic curve group E defined over finite field ¥ p when p is prime. 
Also let E(¥ p ) be the elliptic curve E defined over the algebraic closure 
F p of F p and we denote by E[n] the elements in E(F P ) whose orders 
divide n. 

Corollary 2.2. (1) If F k is prime, then #E(F k ) = 2 2 " . 
(2) IfG k is prime, then #E(G k ) = 2 2k+1 . 
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(3) IfF k is prime, then #E(H k ) = 2 2k+1 . 

Proof. Let us first consider F k . The decomposition into two squares is 
F k = 2 2fe + 1 = l 2 + (2 2fe " 1 ) 2 and 1 + (2 2 "' 1 ) = 1 (mod 4). Hence by 
Theorem EH #E{F k ) = F k + 1 - 2 = 2 2 \ 

Next, let a = 2 k + 1 and b = 2 k . Then we have G k = a 2 + b 2 and 
a+b = 1 (mod 4). Hence we have #E(G k ) = G fe + l-2(2 fc + l) = 2 2k+1 
by Theorem 12. 1[ 

Similarly, let a = — (2 k — 1) and b = 2 k . Then we have H k = a 2 + b 2 
and a + b = 1 (mod 4). Hence #E(H k ) = H k + 1 + 2(2 fc - 1) = 2 2fc+1 . 

□ 

The next lemma gives information on the group structures of E(p) 
and E[n}. 

Lemma 2.3. Let E be an elliptic curve over a finite field ¥ p . Then we 
have 

E{p) = Z ni © Z„ 2 

for some positive integers n\ and n 2 with ni\n 2 . Also, if n is a positive 
integer which is not divisible by p, then we have 

E[n) Z n © Z n . 

Proof. See Theorem 3.1 and Theorem 4.1 in [6]. □ 

Let p denote one of F k , G k and H k . Suppose p is prime. By Corollary 
12 .21 and Lemma [231 the group structure is E(p) = Z 2 « ©Z 2 /s with a < (3 
and a+(3 = 2 k ifp = F k and a+(3 = 2k+l ifp = G k orp = H k . Since m 
is a 4th power, all the roots of x 3 — mx are in ¥ p and also in the subgroup 
E[2] = Z 2 © Z 2 by Lemma Then Z 2 © Z 2 = E[2] C E(p), hence 
E(p) is not cyclic. However, we can determine the group structure of 
E(p) precisely. First we need two lemmas. 

Lemma 2.4. Let n be a positive integer which is not divisible by a 
prime p. Let <ft be the Frobenius endomorphism on E(F P ) given by 
(f)(x,y) = (x p ,y p ). Then E[n] C E(p) if and only if <f> — 1 is divisible 
by n in End(-E'). 

Proof. See Lemma 1 in [5]. □ 

Lemma 2.5. If #E(p) = p+1 — A, then the Frobenius endomorphism 
<p satisfies cf) 2 — Acf) + p = as an endomorphism of E. 

Proof. See Theorem 4.10, page 101 in [6]. □ 

Theorem 2.6. Suppose F k is prime. Then we have 

E{¥ k ) = Z 22 fc-1 © Z 22 fc-1 . 
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Proof. Since j^E{F k ) = F k + 1 — 2, the Frobenius endomorphism 
satisfies <fi 2 — 2<f)+F k = in End(-E) by Lemma [231 and hence (0— l) 2 = 
— 2 2 \ Since End (£7) = Z[z] (see chapter 10 in [6] ), it is a unique 
factorization domain. Therefore <fi — 1 = ±z2 2 , and hence 2 2 
divides 0- 1. Then E^' 1 } C E(F k ) by LemmalU Since E[2 2k ~ 1 } = 
Z 22fc -i © Z 22fe -i by Lemma E31 we have #£[2 2fe_1 ] = (2 2 "" 1 ) 2 = 2 2 * = 
#E(F k ). Therefore we have E(F k ) = E[2 2k ' 1 } S Z 22fc -i © Z^-i. □ 

Theorem 2.7. Suppose G k is prime. Then we have 

E(G k ) = Z 2 & © Z2J5+1. 

Proo/. From Corollary E21 we know that #E(G k ) = 2 2k+1 = G k + l- 
2(2 k + 1). Hence the Frobenius endomorphism <fi satisfies 2 — 2(2 k + 
l)<P+G k = 0. Then we have (0-l) 2 -2 fc+1 (0-l)+2 2fe+1 = 0. Therefore, 
<p - 1 = 2 k {\ ± z). Hence 2 fc divides - 1 and we have E[2 k ] C E(G k ) 
by Lemma [23 Since #E[2 k ] = 2 2k and #E(G k ) = 2 2k+1 , the group 
structure of E(G k ) must be E(G k ) = Z 2 fe © Z 2 fc+i by Lemma [2.31 □ 

Theorem 2.8. Suppose H k is prime. Then we have 

E(H k ) — Z 2 fc © Z 2 fc+i. 

Proof. Just note that the Frobenius endomorphism satisfies 2 + 2(2 fc — 
1)4>+H k = 0. Hence 0—1 = (— l±z)2 fc . The rest of the proof is identical 
to that of Theorem 12 .71 □ 



3. Primality test 

Again let p be one of F k , G k and H k . As we noted in the proof 
of Theorem I2.6[ E has complex multiplication by Z[z]. For a detailed 
explanation about complex multiplication, see chapter 10 in [Bj. The 
action of i on (sc, y) & E is given by [i] • (x, y) = (— x, iy), where the i 
in (—x, iy) is a 4th root of unity in ¥ p . This i exists in ¥ p since p = 1 
(mod 4). Note that as an endomorphism, i has degree 1 and hence it 
is an isomorphism. Now, let us denote r\ = 1 + i in End(E). This 
endomorphism is very important in this paper. Let us describe the 
action of r\ on (x,y) explicitly. Let r\ ■ (x,y) = (x',y'). We have 

V ■ (x, y) = [! + *] • (?, y) = (x, y) + [i] ■ (x, y) = (x, y) + (-x, iy) 
and by the elliptic curve addition, it is equal to 
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where y' = y l 2 l ] v j (x — x') — y. Note that by the equation (13. ip . 

the ^-coordinate x' of n • (x, y) is a square and by the equation (13. 2p . 
x' can be computed without using y. Also note that r\ has degree 2, 
hence #Ker(i]) = 2. Clearly, (0, 0) is in the kernel and so Ker(?7) = 
{00, (0, 0)}, where 00 is the identity of E. 

Note that rf = 2i and rf 1 = e2 l , where I is a positive integer and 
e = ±1, ±2. Since e = ±1, ±i are isomorphism, we do not care about 
this factors. We will use e for ±1, ±i in this paper, but e might have 
different values at each occurrence. 

3.1. Primality test for Fermat numbers. Now we can state a the- 
orem which can be converted into a primality test. 

Theorem 3.1. Let r\ = 1 + i in End(-E'). Let P = (x,y) on E, where 
x is a quadratic non-residue mod F k . Then F k is prime if and only if 
^-ip = ( 0)0 ). 

Proof. Suppose F k is prime. In the proof of Theorem 12.61 we have seen 
that <p — 1 = e2 2 = en 2 . Hence, we have Ker(n 2 ) = Ker(0 — 1) = 
E(F k ). Since #Ker(r/) = 2 and #E(F k ) = 2 2 \ we have Ker(?f) = 
lm(rj 2k ~ s ) for s = 1, 2, . . . , 2 k . Assume P = nQ for some Q G E{F k ). 
Then as we noted above, the x-coordinate x of nQ = P is a square. 
However, we assumed that x is a quadratic non-residue mod F k , hence 
P is not in the image of n. Observe that n 2 ~ l P 7^ 00 since otherwise 
P G Ker(n 2 _1 ) = Im(?7), but P ^ lm(n). Since rf ~ l P 7^ 00 and 
rj 2 = 00, we have rj 2 = (0, 0). 

Conversely, suppose rf ~ l P = (0,0). Assume F k is composite and 
let q be a prime divisor such that q < V^fc- It is known that a divisor 
of a Fermat number is congruent to 1 modulo 4. (See [I2J). Then 
rf~ x P = (0, 0) holds in the reduction E(q). It follows that 2 2k ~ 1 - 1 P = 
erf ~ 2 P 7^ 00. Also we have 2 2 1 P = erf P = 00, therefore P has 
order 2 2 * -1 . Assume that {P, iP} is a basis of E^' 1 ]. Note that iP G 
£ l (g) since j G F, when q = 1 (mod 4). So we have E[2 2 ] C -E(g), 
hence 2 2fc < #E(q). However, #E(q) < (y/g+1) 2 by Hasse's Theorem. 

Hence, we have q 2 - 1 < F 2 - 1 = 2 2 " < #E(q) < (y/q + l) 2 . This 
inequality holds only for q = 2. However, clearly q is an odd prime. 
Hence it is a contradiction. Therefore F k is prime. 

To complete the proof, we need to prove that {P, iP} is a basis of 
E[2 2 ]. Suppose uP + v{iP) = 00 for some integers u, v. Let u = 2 a u' 
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and let v = 2 l3 v' with u', v' odd. Since the order of P is a power of 2, 
we have a = (3. Now (vf + v'i){2 a P) = oo =>■ (w' 2 + t/ 2 )(2 a P) = oo =>■ 
u' 2 + v' 2 = (mod 2 2fe_1 ~ a ). Since w' 2 + t> ' 2 = 2 (mod 4), the above 
congruence holds only if a = 2 k ~ l or a = 2 k ~ 1 — 1. If a = 2 , then 
it = u = (mod 2 2 ), and hence they are independent. 

Next let us consider the case a = 2 k ~ 1 — 1. Let P' = (2 2 ~ _1 )P. 
Then P' has order 2. Hence P' is either (0,0) or (±-^/m, 0). However, 
77P' = ^ . (erf ~ 2 )P = erf _1 P 7^ 00, hence we have P' ^ (0,0). 
Therefore, P' is either (y/m, 0) or (— -y/m, 0). If P' = {\/rn, 0), then 
00 = (■u'+?/z)(y / m, 0) = u\y/m, 0) + v'(—y/m, 0) with odd it', f'. Since 
{(v^ ; 0), (— \/m, 0)} is a basis for E[2], they cannot be dependent 
with odd coefficients. The same thing happens when P' = (—y/m,0). 
Therefore, P and iP are independent, and this completes the proof. □ 

Hence, to check the primality of Fermat numbers, we need to cal- 
culate rf ~ l P for a point P with a quadratic non-residue x-coordinate 
mod Pfc. However, we need not to calculate a ^-coordinate since when 
an x-coordinate is 0, so is the ^/-coordinate. Also as noted above, to 
calculate the x-coordinate of r/P, the y-coordinate of P is not used. 

For example, take m = 1 and P = (5, 2y / 30) on E : y 2 = x 3 — x. 
It is straightforward to check 5 is a quadratic non-residue and 30 is a 
quadratic residue mod Fk- Hence P satisfies the conditions of Theorem 

Here is the algorithm to check the primality for F^. Let Xq = 5 and 

let 



if gcd(xj_i, Fk) = 1 for j > 1. Note that Xj is the x-coordinate of 
ifP. Here i is a primitive 4th root of unity in Ff. and it is explicitly 
i = 2 2 1 . If gcd(xj, Pfc) > 1 for some j < 2 k — 1, then F^ is composite 
and we terminate the algorithm. If we calculate x 2 fc_i and it is 0, then 
Pfc is prime. If x 2 fc_i 7^ 0, then Fj. is composite. 

Remark 3.2. We do not need to find v^30 mod F k explicitly. We just 
needed to know that the point P = (5, 2\/30) is on E : y 2 = x 3 — x. 
What we need is only the x-coordinate in the algorithm. 

An alternative primality test can be deduced by noting equivalent 
conditions as in the next lemma. 

Lemma 3.3. Let P be a point on E with a quadratic non-residue x- 
coordinate mod Then rf _1 P = (0,0) if and only if 2 2 P = 
(y/m, 0) or (— \/m, 0). 
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Proof. Suppose rf -1 P = (0,0). Then we have r](2 2k 1_1 P) = er/ ■ 
rf ~ 2 p = (0,0). Therefore we have 2 2 1_1 P 7^ 00, (0,0), otherwise 
the image by 77 is 00. Also, we have 2(2 2 P) = 2 2 1 P = erj 2 P = 
er}{0, 0) = 00. Therefore 2 2fc_1 P e E[2] \ {00, (0, 0)}. That is, 2 2 " _1 P = 
(v/m, 0) or (-y/m, 0). 

Conversely, suppose 2 2 P = (±y/m, 0). We have 

(0, 0) = t?(±V^, °) = r i^ 1 ) p = m %h ~ x P- 

Hence, we have rf X P = (0,0). □ 

So now we have shifted from the multiplication by 77 to the multipli- 
cation by 2. Multiplication by 2 of a point P = (x,y) on the elliptic 
curve E : y 2 = x 3 — mx is described as follow. 

„, . / x A + 2mx 2 + m 2 „. A 

2(x,y) = — — — ,yR(x) 

\ 4(ar — mx) J 

for some rational function R(x). (See Example 2.5, page 52 in [6].) Let 
P = (xo, 2/0) be a point on P with a quadratic non-residue x-coordinate 
mod p. Let 

arf ! + 2mx 2 „ 1 + m 2 
1 4(x|_ 1 — mxj-i) 

modulo F k if gcd((x^_ x — mxj_i), P^) = 1 for j > 1 inductively. Hence 
Xj is the x-coordinate of 2 J P. If we can proceed to calculate x 2 k-i_ 1 
and this is ±\/m, then P& is prime. Otherwise Fk is composite. 

For example, let us consider the same example as above. Let m = 1 
and P = (5, 2y / 30) on E. Then the algorithm to check the primality 
for Pfc is as follows. Let Xq = 5 and we define inductively 

x i-i 

+ 2xj_ 1 + 1 

if gcd((a^_j - arj-i),^) = 1 for j > 1. If gcd((x|_ 1 - ary_i), i 5 ^) = 1 
for some j < 2 k ~ l — 1, then P& is composite and we terminate the 
algorithm. If we calculate a^fc-i-i an d this is ±1, then P& is prime. 
Otherwise P& is composite. 

Remark 3.4. Although the recursion formula for Xj looks more compli- 
cated than before, the number of recursions is reduced to 2 fc_1 — 1 from 
2 k - 1. 
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3.2. Primality test for 2 2k+1 + 2 k+1 + 1. 

Theorem 3.5. Let P = (x,y) be a point on E, with x is a quadratic 
non-residue mod Gk- Then Gk with k > 2 is prime if and only if 
f^Pe £[2]\{oo}. 

Proof. Suppose G k is prime. We have #(r] 2k E(G k )) = #(e2 fc £(G fc )) = 
2. We have seen that — 1 = er/2 k = erf k+1 when Gk is prime 
in the proof of Theorem 12.71 Since Ker(0 — 1) = E(Gk), we have 
r 1 (T 1 2k E(G k )) = oo, and therefore Tf k - l E(G k ) = E[2\. 

Now that we know that E{G k ) = Ker(r] 2k+1 ) and #Ker(f?) = 2 in ad- 
dition to #E(G k ) = 2 2k+1 , it is easy to see that Ker(rf ) = lm(r] 2k+1 - s ), 
for s = 0, 1, . . . , 2k + 1. Since x is not a square mod p, P is not in the 
image of 77. Hence, we have r] 21 P G E[2] \ {00}. Let us show this. 
If rf k ~ l P = 00, then P G Kei{rf k ^ 1 ) = lm(r] 2 ). Since P is not in the 
image of rj, this is a contradiction. Hence rj 2k ~ 1 p ^ 00. 

Conversely, suppose r] 2k ~ l P g £?[2] \ {00}. Assume G k is composite 
and let q be a prime divisor of such that q < \/Gk. Then r/ 2k ~ 1 P G 
£7[2] \ {00} holds in the reduction E(q). Then r/ 2k ~ 1 P is one of (0, 0) or 
(±Vm, 0). \ir] 2k - l P = (0, 0), then we have 2 k ~ 1 P = tr] 2k ' 2 P ^ 00 and 
2 k P = er] 2k P = 00. Therefore P has order 2 k . If r} 2k ~ x P = (y/m,0), 
then let P' = r]P. Then we have r) 2k ~ l P' = r)(y/m,Q) = (0,0). This 
is the same situation as the case rf k ~ l P = (0,0), hence P' has order 
2 k . The case rj 2k ^ l p = (— y/m,0) is similar and r]P has order 2 fc . We 
have seen in any case, there exists a point (P or rjP) of order 2 k . Let 
i? denote this point. Let us assume that {R,iR} is a basis for E7[2 fe ]. 
It is easy to check that every divisor of Gk is congruent to 1 modulo 4. 
So iR G E(q) and hence E[2 k ] C -E(<?). Therefore we have 

2 2 fc = m2 k } < < ( ^ + 1)2 < (G l/4 + 1)2 

However, this inequality does not hold for k > 2, and therefore is 
prime. 

To complete the proof, we need to show that {R, iR} is a basis for 
£7[2 fe ]. Suppose uR + t> (ii?) = 00 for some integers u, v. Let u = 2 a u' 
and let v = 2 l3 v' with u', v' odd. Since the order of R is a power of 
2, we have a = p. Now (u' + v'i){2 a R) = 00 (w' 2 + w /2 )(2 Q J R) = 
00 =>- w' 2 +f' 2 = (mod 2 k ~ a ). Since w' 2 + t>' 2 = 2 (mod 4), the above 
congruence holds only if a = k or a = k — 1. If a = k, then w = v = 
(mod 2 k ), and hence they are independent. 

Next, let us consider the case a = k — 1. Let R' = 2 k ~ 1 R. Then P' 
has order 2. Hence i?' is either (0,0) or (i-^/m, 0). However, we have 
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\ n- r] 2k ^P = rj(l ± v 7 ^, 0) = (0, 0) ^ oo ii R = r]P. 

Hence R' ^ (0,0). Therefore P' is either (y/m,0) or (— \/rn, 0). If 
R' = (-y/m, 0), then oo = (u' + v'i)(y/m, 0) = u'(y/m, 0) + v'(—y/rn, 0) 
with odd w', v' . Since {(y^, 0), (— \/m, 0)} is a basis for E[2], they 
cannot be dependent with odd coefficients. The same thing happens 
when R' = (y/m, 0). Therefore, R and iR are independent. □ 



To use Theorem 13. 51 we need to find a point on E whose x-coordinate 
is a quadratic non-residue mod Gk- It is straightforward to check the 
following. 

• 3 is a quadratic non-residue mod Gk if and only if k is even. 

• 5 is a quadratic non-residue mod Gk if and only if k = 1 
(mod 4). Also If A; = 0,3 (mod 4), then Gk is divisible by 



• 7 is a quadratic non-residue mod Gk for all k > 1. 

Using these facts, we can choose specific initial values depending on 
k. Since Gk is composite when k = 0, 3 (mod 4) from the above fact, 
we only need to consider the cases when k = 1 (mod 4) and k = 2 
(mod 4). 

When k = 2 (mod 4), we take m = 1 and P = (7,4a/2T) on £ : 
y 2 = x 3 — x. Note that 21 = 3 ■ 7 is a quadratic residue mod Gk since 
both 3 and 7 are quadratic non-residues. 

When k = 1 (mod 4) and fc > 1, we can take m = 3 4 (3 does 
not divide G k ) and P = (5, 2v^70) on E : = x 3 - 3 4 x. Note 
that —70 = — 2 ■ 5 ■ 7 is a quadratic residue mod Gk since —2 is a 
quadratic residue (because G^ = 1 (mod 8)) and 5 and 7 are quadratic 
non-residues from the above facts. 

Then the algorithm to check the primality of Gk is as follows. Let 
xq = 7 when k = 2 (mod 4) and xo = 5 when = 1 (mod 4). Then 
let Xj = (x]-i — l)/(2zxj_i) if gcd(xj-i,Gk) = 1 for j > 1 inductively. 
As before this is the x-coordinate of rfP. If gcd(sEj_i, Gk) > 1 for some 
j < 2k — 1, then Gk is composite and we terminate the algorithm. If 
we calculate X2k~i and this is ±1, then Gk is prime. Otherwise, Gk is 
composite. 



3.3. Primality test for 2 2k+1 - 2 k+1 + 1. Now let us discuss H k = 
2 2fc+i _ 2 fc+i _|_ i_ By Theorem EH we know that - 1 = er] 2k+1 . 
Therefore the proof of the next theorem is identical to that of Theorem 

EE 



T]R' = T] ■ (er] 2k - 2 )R = erf^R 




HR = P 



5. 
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Theorem 3.6. Let P = (x,y) be a point on E, with x is a quadratic 
non-residue mod H^. Then H^, k > 2 is prime if and only if 7] 2k ~ l P 6 
£[2]\{oc}. 

Again to use Theorem 13.61 we need to find a point on a curve whose 
s-coordinate is a quadratic non- residue mod H^. The following is easy 
to check. 

• 3 is a quadratic non-residue mod Hk if and only if k is even. 

• 5 is a quadratic non-residue mod Hk if and only if k = 3 
(mod 4). Also when k = 1, 2 (mod 4), 5 divides H^. 

• When k = 4 (mod 12), 13 divides H h . 

Hence when k = 3 (mod 4), we can take m — 1 and a point (5, 2\/30) 
on E : = x 3 — x. Here 30 = 2 ■ 3 • 5 is a quadratic residue by the 
above facts. 

The remaining cases are when k = 0, 8 (mod 12), otherwise 5 or 13 
divides H k . However, it seems difficult to find a suitable small initial 
value. So we further divide the cases into k = 0, 8, 12, 20, 24, 32, 36, 
44 (mod 48). Then for example, we can take following values for m 
and an initial value Xq. 



k (mod 48) 


m 


x 


8 


19 4 


8-13 


12 


20 4 


5-17 


20 


2 4 


13 


24 


21 4 


7-257 


36 


25 4 


9-673 


44 


43 4 


673 



These are easy to check using a computer. Note that for these cases, 
gcd(m, Gk) = 1 since a prime divisor of m is either 5 or congruent to 3 
(mod 4). In the above list, we excluded the cases k = 0, 32 (mod 48). 
It seems that there are no small values which satisfy the conditions. 
Alternatively, we can further increase the modulus. Now let us consider 
it modulo 144. Then the remaining cases k = 0, 32 (mod 48) become 
k = 0, 32, 48, 80, 96, 128 (mod 144). Then for example, we can take 
the following values. 



k (mod 144) 


m 


x 


32 


6 4 


73 


48 


18 4 


2-3-19 


80 


5 4 


13 


96 


99 4 


3-433 


128 


65 4 


2 • 13 
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Again, we excluded the case when k = (mod 144). Here again, note 
that for these cases gcd(m, Gk) = 1 since a prime divisor of m is either 
5 or congruent to 3 (mod 4). If we allow a larger modulus, then we 
might find a set of initial values for every k. (We want an initial value 
when k = (mod 144).) 

Once we have set an initial value, then the algorithm to check the 
primality of Hk is the same as the algorithm for Gk, simply replace the 
initial value and replace Gk by H k . 
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